Gurgaon-based mobile payments and digital wallet company MobiKwik on Tuesday said it would get a third-party forensic data security audit done after allegations of a data breach containing the company’s users’ details resurfaced. Cybersecurity experts claimed that the data of as many as 10 crore MobiKwik users had been leaked and put up for sale on the darkweb.

“The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all MobiKwik accounts and balances are completely safe,” the company said in a statement.

Though the details of the alleged leak have been in the public domain for over a month now, the issue gained prominence on Monday after the so-called data dump was said to be posted for sale on the darkweb. Later, a link with a search bar, where anyone could check whether their phone number, email address and other details were present in the data dump, was available on the darknet.

The Indian Express was independently able to verify and search within the said link the names, email addresses, phone numbers and other details for some of the users.

Tuesday was the second instance of the company issuing a denial and claiming that all the accounts and user information with it were completely safe. In February, when the alleged data breach was first reported by Twitter user Rajshekhar Rajaharia, who claims to be an independent cybersecurity researcher, the company had said he was “desperately trying to grab media attention”.

“We thoroughly investigated his allegations and did not find any security lapses. Our user and company data is completely safe and secure. The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company. Finally, our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives,” MobiKwik had said on Twitter.

The firm, however, did not detail what legal action it was planning and whether any action had been taken over the past month. In another blogpost Tuesday, the company said although some users had reported that their data was visible on the darkweb, it was “entirely possible that any user could have uploaded her/his information on multiple platforms”. “While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source,” a company blogpost said.

India does not have a robust mechanism for user data protection and penal actions, if any, in cases of data breaches. The Personal Data Protection Bill, which is said to contain provisions dealing with the same, has been pending in Lok Sabha since 2019. A Joint Parliamentary Committee, which was initially supposed to submit its report on the Bill by March, has sought an extension till the first week of Parliament’s Monsoon session.

In the absence of the Bill, the Information Technology Act of 2000 and the rules made in 2011 form a regime of data protection, which several experts have said is inadequate.

“In case of foreign companies, if a breach happens, they accept it and inform the users. Most Indian companies do not acknowledge such breaches, let alone inform the user that the database had been breached,” independent cybersecurity expert Indrajeet Bhuyan said.